Boots conceal breach of confidentiality from customers; 47 ‘prescriptions’ lost from its Chaddesden store

[The original version of this article referred to 400 prescriptions being lost; this was the information from my source in Boots. Boots threatened legal action unless I reduced it to 47; they refused to provide any evidence for this number. A breach of confidentiality is as important for 47 people as it is for 400; those 47 people still don’t know that their sensitive data has been lost and Boots have no intention of telling them; Boots do not know the whereabouts of the documents.]

47 people who picked up their prescribed medication from the Boots store on St Mark’s Road in Chaddesden, in late August, should be concerned, and should be asking some serious questions of Boots.

The original versions of their ‘prescriptions’ were lost from the store – the whereabouts of their personal data unknown. Copies had to be re-printed to fulfil the orders.

Boots did not tell the affected customers. Why?

Boots were asked to comment on this breach of confidentiality. The official response was:

“At Boots UK, we are committed to protecting our customers’ privacy and data security. We are aware of our legal requirements, and abide by the data protection legislation and regulatory guidance.”

Boots reported this incident to the Information Commissioner’s Office (ICO) (which by definition means that they assessed that there was a likelihood of a risk associated with the loss). Thus far, Boots has not heard back from the ICO, and has received no advice. Boots has assumed this to mean that the ICO considers it to be low risk; in fact, the ICO has confirmed that they have a 3-month backlog in answering reports (they are still working on July reports), and that a delayed response does not imply low risk or mitigate any legal duty to inform individuals affected.

The Boots store manager at Chaddesden confirmed that there had been a breach.

What is the published ICO guidance?

Under the General Data Protection Regulation (GDPR), any information about an individual’s health is considered “sensitive data”. A prescription contains a person’s name, address, date of birth, doctor’s surgery, NHS number and also full details of the prescribed medication.

The GDPR and the supporting guidelines provided by the ICO state the actions that should be taken in the event of a data breach.

“If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.”

An example is provided on the ICO website of a loss of medical records:

“There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to their rights and freedoms, so they would need to be informed about the breach.”

The ICO were contacted directly by Derby News and asked for their guidance in these exact circumstances. Their view was that the individuals impacted should have been informed by Boots.

NHS requirements

The documents that were lost, referred to as dispensing tokens, contained prescription data and were used to order medication from Boots central distribution. Ordinarily, Boots would have had to inform the NHS of this loss within 1 day so that alerts could be issued.

A spokesperson for NHS England (North Midlands) said: “An alert was not required as a result of this incident because the mislaid items were not completed prescription forms. They were dispensing tokens which cannot be used to dispense prescription items without the corresponding electronic prescription.”

That means that they cannot be fraudulently redeemed, but it does not address the loss of sensitive data.

Customer Care

Boots were asked to comment on why they had not decided to take a Customer Care perspective. No answer was given; they simply referred back to their original statement.

How was this issue managed internally?

A source, who is an employee at a branch of Boots in Derby, has confirmed that they were briefed, via Boots Head Office (Nottingham), not to disclose details of this incident to customers or the surrounding doctors’ surgeries.

The same member of staff was told by the Derby Area Manager that any employee found communicating externally, informing the ICO, or informing affected customers will be subject to disciplinary measures.

Boots do not agree that such instructions were formally given.

Comment

Despite many opportunities to do so, Boots did not refute the facts of this case. The justification for their inaction was the delayed response from the ICO.

Nothing prevents an organisation from exceeding the ICO’s guidance if common sense, or its own customer care policy, demands it; after all, this is sensitive health care data.

Boots decided that this loss would not be an issue for its customers; that the release of such data, in an uncontrolled way, was low risk, and that there was no need to advise the individuals affected. Their customers were not given the chance to decide for themselves!

Boots actively chose to conceal this incident from their customers… for what reason?

A member of staff at Boots was told:

“In case it results in ‘loss of trust’ in Boots, locally, and affects Christmas trading”!